Firewall Wizards mailing list archives
RE: Outlook Web Access - Paranoid?
From: "Symon Thurlow" <sthurlow () webvein com>
Date: Tue, 26 Nov 2002 21:57:08 -0000
Well, you could have a multi-tiered approach, i.e. have 2 DMZ segments (separate from each other) and have your reverse proxy exposed to the Internet in one DMZ segment, then get your reverse proxy to talk to an IIS (or front end EX2K server) in the other DMZ segment, which then talks to your Exchange server internally (all through your Firewall(s)).

This means that the proxy has only 80 and 443 exposed to the web, your IIS server only has 80 and 443 exposed to the proxy, and your Exchange server(s)/Domain controller(s) only have their souls exposed to the IIS server.

It would be reasonably difficult for an intruder to get access to the IIS server (IMHO).

OWA has excellent functionality, especially in EX2K; unfortunately, using EX2K front end servers requires almost unlimited access to all your key servers, and that just sucks.

Symon

-----Original Message-----
From: Mark L. Evans [mailto:MEvans () CO SLC UT US]
Sent: 26 November 2002 18:01
To: 'Firewall-Wizards (E-mail)
Subject: [fw-wiz] Outlook Web Access - Paranoid?

I have really enjoyed the excellent information I've gleaned from this list over the past few months. I'm in need of some help from the list members on the issue of securing Outlook Web Access.

We're trying to come up with the least dangerous method of allowing our users to check their email on MS Exchange. We currently allow them to use POP3 only. Our management would like to use Outlook Web Access. I have followed the issue on several mailing lists. I know it's a bad idea to use Exchange at all but management thinks I am too paranoid on this issue.

It seems the best method is a reverse proxy using squid on a DMZ machine and then into the IIS server on the inside over SSL. What are your opinions/suggestions on this issue? Do you have any other methods that are more secure?

TIA,
Mark L. Evans - CISSP

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
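
The two layouts discussed in this message, modelled as zone-to-zone allow rules and checked for tier depth and over-broad access. This is an added example, not part of the original post; the zone names, the rule tuples and the audit checks are assumptions made for illustration and do not come from any real firewall configuration.

```python
# Added illustration: zone names and rule tuples are hypothetical.
from collections import deque

# Each rule: (source zone, destination zone, allowed TCP ports or "any")
TWO_DMZ = [  # layout from the reply: proxy and IIS in separate DMZ segments
    ("internet", "dmz1_proxy", {80, 443}),
    ("dmz1_proxy", "dmz2_iis", {80, 443}),
    ("dmz2_iis", "internal", "any"),  # front end needs broad access to Exchange/DCs
]
ONE_DMZ = [  # layout from the question: squid in a DMZ, IIS on the inside
    ("internet", "dmz_proxy", {80, 443}),
    ("dmz_proxy", "internal", {443}),  # proxy to inside IIS over SSL
]

def exposed_to(rules, src):
    """Map each zone directly reachable from src to its permitted ports."""
    return {dst: ports for s, dst, ports in rules if s == src}

def hops_to(rules, src, target):
    """Fewest permitted zone-to-zone hops from src to target, None if unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        zone, dist = queue.popleft()
        if zone == target:
            return dist
        for nxt in exposed_to(rules, zone):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def audit(rules):
    """Flag rules that weaken the tiering described in the message."""
    findings = []
    edge = set(exposed_to(rules, "internet"))  # zones the Internet reaches directly
    for src, dst, ports in rules:
        if src == "internet" and (ports == "any" or not ports <= {80, 443}):
            findings.append(f"{src}->{dst}: more than 80/443 exposed to the Internet")
        if dst == "internal" and src in edge:
            findings.append(f"{src}->{dst}: Internet-facing zone talks directly to internal")
        if ports == "any":
            findings.append(f"{src}->{dst}: unrestricted ports")
    return findings

if __name__ == "__main__":
    for name, rules in (("two DMZ", TWO_DMZ), ("one DMZ", ONE_DMZ)):
        print(name, hops_to(rules, "internet", "internal"), audit(rules))
```
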